AUSTRALIAN RISK POLICY INSTITUTE PAPER

RISK POLICY, LEADERSHIP AND DECISION MAKING

By ADMIRAL CHRIS BARRIE AC, RAN Reserve

In this paper I want to address the intersection between risk policy and leader behaviour - in particular, leader decision making. My hypothesis is that evidence over recent years shows too many instances where we hold our leaders insufficiently accountable for the things that go wrong, when there are available suitable means for dealing with uncertainty and risk. I will finish with some particular proposals that help us to deal with this problem.

My perspective, drawn from my own experience and more recently work in the field of strategic leadership, is that leaders who are ultimately responsible for all that goes on within the organization may believe that they have a sufficient enterprise risk management profile when a Chief Risk Officer, or the like, is appointed. But I believe that in considering leader behaviour what we are discussing is leader decision making. It is the decision that the leader makes that leads to action. Sometimes it is also the case that a decision not to make a decision is also a decision!

So the core question for leadership is to describe the extent and nature of top level participation in the process of analysing and evaluating risk, even thinking the unthinkable, within the organization and then taking appropriate action to deter or avoid or mitigate the consequences of risk. In other words I am seeking to promote the adoption of appropriate risk policies throughout public and private organizations in Australia.

The Risk Policy Institute focuses on the development, promotion and adoption of risk policy as a critical part of best business practice in Australia.

Risk analysis and risk management are vital business processes for the successful leader because informed decision making demands that leaders think through all possible implications of particular proposals on all stakeholders before taking action on them, taking special cognizance of unexpected and unintended consequences. In this way we seek high quality outcomes. But what if we have not assessed at all the possible consequences of highly uncertain yet catastrophic events on the enterprise and how we might mitigate important risks?

My concern is that, all too often, risk policy is inadequately implemented within most organizations. Indeed, I believe that in some organizations there is no effort to deal with risk issues in the insane belief that "she will be all right, mate". But, as we know all too often, when structures and processes collapse unexpectedly many people get hurt. We see this happening most spectacularly within the financial system. When a sudden collapse occurs we hear plenty about it because in nearly all cases many greedy, as well as some innocent, people get hurt. But I assert that many non-financial organizations also work with the same shortcomings.

In this paper I want to use two case studies and two other publications to support my hypothesis and draw some conclusions leading to my recommendations.

The first case study concerns a well-known organization that purposely adopted a particular strategy to improve its earnings, and it was that strategy that led directly to a collapse of its reputation. In my view this case study reveals that while there had been a serious effort by the company to integrate risk analysis and risk management within the organization, this turned out to be inadequate. Mitigating the risks involved by rigorously testing the implicit assumptions underpinning the strategy that was adopted should have prevented Bear Stearns from being sold to J.P. Morgan for a fire sale price!

In November 2006 the Bear Stearns Chief Institutional Strategist and Senior Managing Director publicly presented a range of perspectives on "Making Pro-active Use of Risk Management an Integral Part of Strategic Decisions" at a CAP Conference at Columbia University(1). In that presentation he outlined, presumably on an acceptable risk basis, the need for Bear Stearns to improve its margins by adding higher risk/margin products through subprime loans up to ten percent of total assets in order to offset low earnings coming from more conventional low interest earnings and Federal Reserve policies designed to keep U.S. interest rates low.

Underpinning the judgments made in this presentation seemed to be the assumption that no significant changes to market trends would occur, especially to the underlying interest rate and the housing investment market. As well, I have not been able to find any evidence that there was any serious testing of whether "up to ten percent of total assets" was an acceptable level of risk at the time, or not. But I did observe the judgement in the presentation that "large amounts of investment capital remain available worldwide, ready to be deployed in a large dislocation, potentially constraining losses"!

But, even worse, it seems that the internal structure of the products used to generate the income was such that the risk became more concentrated and the chance of failure multiplied - as opposed to the optimal position of higher risk products being mitigated by diversification of the "true" risk involved. We know what happened to Bear Stearns in June 2007.

The second case study concerns recent events in the Australian financial market that highlight the potential risk to banks and other financial entities coming from entrepreneurial, and in some cases potentially criminal, behaviour by employees of large financial institutions and other operators within the Australian financial system.
What makes this case remarkable for me is that after the National Australia Bank's difficulties a few years ago the reports of certain behaviours in this case should be the sort of thing that keeps senior leaders and top level management awake at night. I am referring, of course, to the complexities of the Opes Prime debacle last April. It drew the following headlines in the Sydney Morning Herald(2) that month:

"Collateral damage - The Opes debacle has eroded the foundations of ANZ's reputation, but there were already problems lurking in the bank that John built".

The article under that headline went on to point out that the initial approach of the previous CEO of ANZ Bank to its institutional banking business had been to de-risk it, but this policy had changed when the de-risking had apparently resulted in a substantial drag on profit growth in 2004. The article also went on to ask some critical questions about the Bank's risk management procedures from that time. For example, the SMH article points out that the ANZ Bank had in place a credit and trading risk committee with responsibility for making key credit-related decisions, but then it goes on to ask:

"Just how effective the credit committee was in coming to terms with the dangers represented by Tricom, Opes and the Melbourne based securities firm Chimaera Capital will be a matter for an internal inquiry...But where was the credit committee - or any other kind of risk management - when the original loans were being written?"

You may also be forgiven for thinking these are simple "oversights" until you read:

"The first loan on Tricom's books from ANZ was a $10 million facility made in 2001, at a time when Laurie Emini and Julian Smith were working with Tricom on establishing their now-infamous business model. The pair went on to found Opes...And ANZ's exposure to the businesses grew and grew, with little or no oversight from ANZ's vaunted risk-management policies."

As a consequence of leadership's past failure to become properly involved with its own risk policies and decision making, the reputation of the ANZ Bank is at serious risk.

These two case studies are food for thought. They prompt me to ask questions about the adequacy of current risk policies and what needs to be done. I am not alone. For example, I have noted that in a special report on international banking two months ago, The Economist(3) has focused on risk managers(4) and their profession after looking at the extent of write downs by large international banks from January to April 2008 totalling US$38 billion. The Economist observes that "(W)hatever the type of institution, it is clear that the quality of risk management can make a very big difference to its performance...The crisis has underlined not just their importance but also their weaknesses."

This article is quite insightful. It deals with various difficulties that had to be faced in assessing risk in a complicated and fast-moving financial world that involves very complex structures. These difficulties can be summarized as: "Bad decision-making does not respect sectoral boundaries; Risk managers are aware that they are trying to base their decisions on imperfect information; There is likely to be more emphasis placed on non-statistical ways of thinking about risk (and) that means being more rigorous about imagining what could go wrong and thinking through the effects; Another big challenge for risk managers lies in the treatment of innovative products...that lack historic data ...and also sit outside banks' central risk management machinery; and Keeping risks to a size that does not inflict intolerable damage if things go awry is a fundamental lesson...It is not acceptable for a division to have a position that wipes out its own earnings, let alone those of the entire firm."

But the final conclusion of the article draws attention to the behaviour of our leaders and our appetite for optimism.
It states: "There is an even bigger concern. Everyone is ready to listen to risk managers now, but the message is harder to transmit when the going is good...To improve risk management through the cycle, deeper change is needed."

But now I want to look beyond the world of the financial industry and examine risk issues in the much broader context of global issues, and our future.

In January 2008 the World Economic Forum published its most recent global risk network report - Global Risks 2008(5). The network has been part of the World Economic Forum since 2005 and this year's report was prepared by a core team from the World Economic Forum and partners, assisted by inputs from a much wider group of experts in a number of selected workshops over the previous year. This Report deals with emerging risks in 2008 - not only in economics but also geo-political, environment, society and technology risks.

In reaching certain conclusions about the taxonomy of global risk and risk assessments in the two appendices, the report spells out important views on: assessing global risks in 2008; networked world, networked risks; financial markets, risk transfer and risk mitigation; structuring mitigation at the state and international level; and taking the country risk officer forward. In broad terms this report has, inter alia, dealt with the kinds of issues I have raised here in the two case studies.

Let me point out a few key features in this Report. In the introduction it was noted by the expert panel that "risk issues - from the liquidity crisis in financial markets to the emerging concerns over the long-term security of food supply - have focused global attention on the fragility of the global system." The Report goes on to ask the most important core question and that is "who owns the risk?"(6)

It then states: "Without a shared understanding of ownership, achieving trade-offs which may be necessary to mitigate global risk equitably and sustainably will be extremely difficult.
Without clarity on who is responsible for managing global risk, turning aspiration into actions will be impossible. Without frameworks which connect ownership of risk with the responsibility to mitigate it, and which share the upside and downside of risk among stakeholders efficiently, the market mechanisms for managing risk will fail to improve our aggregate global resilience in the face of inevitable events."

The conclusion at this part of the Report is that "without leadership from the business and political communities on all of these issues, we may find our global future shaped more by risk events than by our power to anticipate, manage and mitigate them."

I think that this question of leadership is a crucial part of what this Institute is seeking to promote. For both business and political leaders it can form the basis for a departure now from how we have organized in the past. Let me explain how.

It seems to me that leaders in all walks of life need to start thinking about how respective organizations should grapple with the kinds of events that we once would have described as "unthinkable". Moreover, I think the information given in the Appendices of the Global Risks Report gives us a good basis on which to begin our journey towards accepting the challenge presented by sharing the ownership of shared risk.

Finally, I want to recommend an appropriate way of highlighting our strengths and weaknesses in coping with these significant challenges. I believe it is a good idea in all organizations to use scenario games to provoke senior leadership into thinking about how to deal with uncertainty. It is not enough to simply think that we know how to respond in a particular set of circumstances, but we should also test realistically our capacity to mitigate risk properly and deal with the consequences should they arise.
The value of a regular programme of scenario games can be considerably enhanced by the creation of a "red" team whose job it is to dream up testing, yet realistic, scenarios for top leadership to deal with as though the "fiction" is the "reality". This is a process that I have used in the past with enormous benefit and, to be frank, I believe it prepared us to deal much more effectively with some of the security challenges we faced.

By using a free-play red team we can also ameliorate some of the imperfections of "stress-testing" as pointed out by The Economist article in the discussion about the plausibility of scenarios or uncertainties(7). I support the notion that "a qualitative approach is an essential complement to a quantitative one" but only on the basis that all those people with top level leadership and decision making responsibilities get involved. The insights provided by good scenario games are far too important to be left to the risk managers.

Turning to the examples I have given at the beginning of this presentation, I wonder how Bear Stearns may have seen its fortunes evaporating when ten percent of its total assets had been washed away by some unforeseen turn of events and the assumptions made to support this particular initiative had proved wrong. Or closer to home, how do the regulators, the market authorities and institutional leaders assess their vulnerabilities and capacity to deal with in-house entrepreneurs and others who are determined to act at least unethically, if not criminally, in today's very complicated financial system?

The Global Risks 2008 Report I have promoted strongly here today is impressive. It is comprehensive - foretelling the recent earthquakes in China or the floods in Burma. It also deals with steep rises in energy costs, a food supply crisis and other catastrophes. Consequences are estimated in cost and lives lost against a particular estimated level of uncertainty.

I contend that at the intersection between risk policy and leader behaviour - in particular, leader decision making - the use of this Report to build qualitative scenarios to test our responses will inevitably prompt us to take action now to build a better world.

(1) Leo M. Tilman, PowerPoint presentation "Making Pro-active Use of Risk Management an Integral Part of Strategic Decisions", presented 3 November 2006. Available at www.bearstearns.com
(2) Sydney Morning Herald, Weekend Edition, 25-27 April 2008. Business and Financial Section.
(3) The Economist, 17th May 2008. "Paradise Lost", a special report on international banking.
(4) Ibid., p 11, "Professionally Gloomy - Risk Managers take a Hard Look at Themselves".
(5) World Economic Forum, "Global Risks 2008", published January 2008.
(6) WEF Report, p 5.
(7) The Economist special report, p 11.